2014-05-28 23:20 GMT+02:00 chili_confits <[email protected]>:
> I have enabled gzip with
> ...
> gzip on;
> gzip_http_version 1.0;
> gzip_vary on;
> ...
> to satisfy incoming HTTP 1.0 requests.
>
> In a very similar setup which got OWASP-evaluated, I read this - marked as
> a defect:
> "The web server sent a Vary header, which indicates that server-driven
> negotiation was done to determine which content should be delivered. This
> may indicate that different content is available based on the headers in the
> HTTP request."
> IMHO this is a false positive ...
Do not suppress header »Vary« or you will run into problems with proxies, which would otherwise always serve the file gzipped regardless of a requester indicating support or lack thereof. Nginx does no content negotiation to the extent which would reveal that »/config.inc« exists if »/config« were requested with the intent to get »/config.css«. As you can see, even this example is far-fetched.

-- 
Mark
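To make the proxy problem Mark describes concrete, here is an added Python model (not code from the thread or from nginx) of a shared cache in front of a toy origin that behaves like `gzip on` with and without `gzip_vary on`; the origin, cache, request headers and response body are all constructed for the example.

```python
import gzip

BODY = b"body { color: red; }"  # constructed response body for /config.css

def origin(req_headers, send_vary):
    """Toy origin modelling nginx 'gzip on': compress only when the client
    advertises gzip; add Vary: Accept-Encoding when send_vary (gzip_vary on)."""
    headers = {"Content-Type": "text/css"}
    body = BODY
    if "gzip" in req_headers.get("Accept-Encoding", ""):
        headers["Content-Encoding"] = "gzip"
        body = gzip.compress(BODY)
    if send_vary:
        headers["Vary"] = "Accept-Encoding"
    return headers, body

class SharedCache:
    """Minimal shared cache: a stored response is reused only if the request
    carries the same values for every header named in that response's Vary."""
    def __init__(self):
        self.store = {}  # url -> list of (vary_fields, vary_values, response)

    def fetch(self, url, req_headers, send_vary):
        for fields, values, resp in self.store.get(url, []):
            if all(req_headers.get(f, "") == values[f] for f in fields):
                return resp, True  # cache hit (always matches when Vary is absent)
        headers, body = origin(req_headers, send_vary)
        fields = [f.strip() for f in headers.get("Vary", "").split(",") if f.strip()]
        values = {f: req_headers.get(f, "") for f in fields}
        self.store.setdefault(url, []).append((fields, values, (headers, body)))
        return (headers, body), False

def client_can_read(resp, req_headers):
    """True if the client understands the encoding it was handed."""
    headers, body = resp
    if headers.get("Content-Encoding") == "gzip":
        return "gzip" in req_headers.get("Accept-Encoding", "") and gzip.decompress(body) == BODY
    return body == BODY

def simulate(send_vary):
    """A gzip-capable client warms the cache; then an HTTP/1.0 client that sent
    no Accept-Encoding requests the same URL. Returns (readable, served_from_cache)."""
    cache = SharedCache()
    modern = {"Accept-Encoding": "gzip, deflate"}
    legacy = {}  # constructed HTTP/1.0 request with no Accept-Encoding
    cache.fetch("/config.css", modern, send_vary)
    resp, hit = cache.fetch("/config.css", legacy, send_vary)
    return client_can_read(resp, legacy), hit
```

With `Vary` present the cache misses for the legacy client and fetches an uncompressed copy; with `Vary` suppressed it serves the gzipped copy from cache to a client that never asked for it.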
